2 research outputs found
Network security mechanisms and implementations for the next generation reliable fast data transfer protocol - UDT
University of Technology, Sydney. Faculty of Engineering and Information Technology.TCP protocol variants (such as FAST, BiC, XCP, Scalable and High Speed) have
demonstrated improved performance in simulation and in several limited
network experiments. However, practical use of these protocols is still very
limited because of implementation and installation difficulties. Users who
require to transfer bulk data (e.g., in Cloud/GRID computing) usually turn to
application level solutions where these variants do not fair well. Among protocols
considered in the application level are User Datagram Protocol (UDP)-based
protocols, such as UDT (UDP-based Data Transport Protocol). UDT is one of the
most recently developed new transport protocols with congestion control
algorithms. It was developed to support next generation high-speed networks,
including wide area optical networks. It is considered a state-of-the-art protocol,
addressing infrastructure requirements for transmitting data in high-speed
networks. Its development, however, creates new vulnerabilities because like
many other protocols, it relies solely on the existing security mechanisms for
current protocols such as the Transmission Control Protocol (TCP) and UDP.
Certainly, both UDT and the decades-old TCP/UDP lack a well-thought-out
security architecture that addresses problems in today’s networks. In this
dissertation, we focus on investigating UDT security issues and offer important
contributions to the field of network security. The choice of UDT is significant for
several reasons: UDT as a newly designed next generation protocol is considered
one of the most promising and fastest protocols ever created that operates on top
of the UDP protocol. It is a reliable UDP-based application-level data-transport
protocol intended for distributing data intensive applications over wide area
high-speed networks. It can transfer data in a highly configurable framework and
can accommodate various congestion control algorithms. Its proven success at
transferring terabytes of data gathered from outer space across long distances is
a testament to its significant commercial promise. In this work, our objective is to
examine a range of security methods used on existing mature protocols such as
TCP and UDP and evaluate their viability for UDT. We highlight the security
limitations of UDT and determine the threshold of feasible security schemes
within the constraints under which UDT was designed and developed.
Subsequently, we provide ways of securing applications and traffic using UDT
protocol, and offer recommendations for securing UDT. We create security
mechanisms tailored for UDT and propose a new security architecture that can
assist network designers, security investigators, and users who want to
incorporate security when implementing UDT across wide area networks.
We then conduct practical experiments on UDT using our security mechanisms
and explore the use of other existing security mechanisms used on TCP/UDP for
UDT. To analyse the security mechanisms, we carry out a formal proof of
correctness to assist us in determining their applicability by using Protocol
Composition Logic (PCL). This approach is modular, comprising a separate proof
of each protocol section and providing insight into the network environment in
which each section can be reliably employed. Moreover, the proof holds for a
variety of failure recovery strategies and other implementation and configuration
options. We derive our technique from the PCL on TLS and Kerberos in the
literature. We maintain, however, the novelty of our work for UDT particularly
our newly developed mechanisms such as UDT-AO, UDT-DTLS, UDT-Kerberos
(GSS-API) specifically for UDT, which all now form our proposed UDT security
architecture.
We further analyse this architecture using rewrite systems and automata. We
outline and use symbolic analysis approach to effectively verify our proposed
architecture. This approach allows dataflow replication in the implementation of
selected mechanisms that are integrated into the proposed architecture. We
consider this approach effective by utilising the properties of the rewrite systems
to represent specific flows within the architecture to present a theoretical and
reliable method to perform the analysis. We introduce abstract representations of
the components that compose the architecture and conduct our investigation,
through structural, semantics and query analyses.
The result of this work, which is first in the literature, is a more robust
theoretical and practical representation of a security architecture of UDT, viable
to work with other high speed network protocols
Compositional logic for proof of correctness of proposed UDT security mechanisms
We present an approach to analyze the applicability and secrecy properties of the selected security mechanisms when implemented with UDT. This approach extends applicability refinement methodology with symbolic model in UDT implementations. In our approach, we carry out a formal proof of correctness, therefore, determining applicability, using formal composition logic. This approach is modular, comprising a separate proof of each protocol section and providing insight into the network environment in which each section can be reliably employed. Moreover, the proof holds for a variety of failure recovery strategies and other implementation and configuration options. We derive our technique from the protocol composite logic on TLS and Kerberos in the literature. We, maintain, however, the novelty of our work for UDT specifically our newly developed mechanisms such as UDT-AO, UDT-DTLS, UDT-Kerberos(GSS-API) specifically for UDT. © 2012 IEEE